google / santa

A binary authorization and monitoring system for macOS
https://santa.dev
Apache License 2.0

santad: Add signal auth to tamper resistance. #1360

Closed russellhancox closed 1 month ago

russellhancox commented 1 month ago

Root users can currently kill the com.google.santa.daemon process. It will be immediately restarted by sysextd but this opens a very brief window where protection is lost. Hooking ES_EVENT_TYPE_AUTH_SIGNAL and blocking all signals to the santad process prevents this and it doesn't interfere with upgrades.
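
An added illustration of the mechanism the PR describes (written here for this page, not Santa's own code): an EndpointSecurity client that subscribes to `ES_EVENT_TYPE_AUTH_SIGNAL` and denies any signal whose target is the protected process. The protected PID, the helper name `signal_should_be_denied`, and the choice to let the process signal itself are assumptions of this example; the ES calls (`es_new_client`, `es_subscribe`, `es_respond_auth_result`, `audit_token_to_pid`) are the real framework API.

```objective-c
#import <Foundation/Foundation.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <unistd.h>

// Assumption: the process to protect is the client itself, which is the
// situation in the PR (santad protects santad). Any PID could be used.
static pid_t protected_pid;

// Pure decision helper (hypothetical name). Denies every signal aimed at the
// protected process unless the process is signalling itself, so its own
// lifecycle management keeps working. Return value: true = deny.
static bool signal_should_be_denied(pid_t target_pid, pid_t sender_pid) {
    return target_pid == protected_pid && sender_pid != protected_pid;
}

int main(int argc, const char *argv[]) {
    protected_pid = getpid();

    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            // Only AUTH_SIGNAL is subscribed below, but check anyway so a
            // later subscription change cannot make us respond to the wrong
            // event type.
            if (msg->event_type != ES_EVENT_TYPE_AUTH_SIGNAL) {
                return;
            }

            pid_t sender = audit_token_to_pid(msg->process->audit_token);
            pid_t target = audit_token_to_pid(msg->event.signal.target->audit_token);
            int signum = msg->event.signal.sig;

            bool deny = signal_should_be_denied(target, sender);
            if (deny) {
                // Worth logging: a root-level attempt to stop the daemon is
                // itself a tamper signal for detection pipelines.
                NSLog(@"Denied signal %d from pid %d to protected pid %d",
                      signum, sender, target);
            }

            // AUTH events must be answered before the message deadline;
            // the last argument disables result caching so every attempt
            // is evaluated (and logged) individually.
            es_respond_auth_result(c, msg,
                                   deny ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW,
                                   false);
        });

    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        // Typical causes: missing endpoint-security entitlement, no Full Disk
        // Access / TCC approval, or not running as root.
        NSLog(@"es_new_client failed: %d", res);
        return 1;
    }

    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_SIGNAL };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        NSLog(@"es_subscribe failed");
        es_delete_client(client);
        return 1;
    }

    NSLog(@"Protecting pid %d from external signals", protected_pid);
    dispatch_main();  // never returns; the handler block runs on ES's queue
    return 0;
}
```

Running this requires the `com.apple.developer.endpoint-security.client` entitlement, a signed and notarized binary (or a system extension, as Santa ships), and root. With the client active, a `kill` of the protected PID from another process fails with `EPERM` instead of terminating it, which closes the brief unprotected window the PR description mentions; because the daemon may still signal itself, and because the check is on the target rather than on the signal number, an orderly shutdown or upgrade driven by the daemon's own machinery is unaffected.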

mlw commented 1 month ago

1235